# app/config/security.ymlsecurity:access_denied_url:~# Example: /foo/error403# strategy can be: none, migrate, invalidatesession_fixation_strategy:migratehide_user_not_found:truealways_authenticate_before_granting:falseerase_credentials:trueaccess_decision_manager:strategy:affirmative# One of affirmative, consensus, unanimousallow_if_all_abstain:falseallow_if_equal_granted_denied:trueacl:# any name configured in doctrine.dbal sectionconnection:~cache:id:~prefix:sf2_acl_provider:~tables:class:acl_classesentry:acl_entriesobject_identity:acl_object_identitiesobject_identity_ancestors:acl_object_identity_ancestorssecurity_identity:acl_security_identitiesvoter:allow_if_object_identity_unavailable:trueencoders:# Examples:Acme\DemoBundle\Entity\User1:sha512Acme\DemoBundle\Entity\User2:algorithm:sha512encode_as_base64:trueiterations:5000# PBKDF2 encoder# see the note about PBKDF2 below for details on security and speedAcme\Your\Class\Name:algorithm:pbkdf2hash_algorithm:sha512encode_as_base64:trueiterations:1000key_length:40# Example options/values for what a custom encoder might look likeAcme\DemoBundle\Entity\User3:id:my.encoder.id# BCrypt encoder# see the note about bcrypt below for details on specific dependenciesAcme\DemoBundle\Entity\User4:algorithm:bcryptcost:13# Plaintext encoder# it does not do any encodingAcme\DemoBundle\Entity\User5:algorithm:plaintextignore_case:falseproviders:# Required# Examples:my_in_memory_provider:memory:users:foo:password:fooroles:ROLE_USERbar:password:barroles:[ROLE_USER,ROLE_ADMIN]my_entity_provider:entity:class:SecurityBundle:Userproperty:username# name of a non-default entity managermanager_name:~# Example custom providermy_some_custom_provider:id:~# Chain some providersmy_chain_provider:chain:providers:[my_in_memory_provider,my_entity_provider]firewalls:# Required# Examples:somename:pattern:.*request_matcher:some.service.idaccess_denied_url:/foo/error403access_denied_handler:some.service.identry_point:some.service.idprovider:some_key_from_above# manages where each firewall stores session information# See "Firewall Context" below for more detailscontext:context_keystateless:falsex509:provider:some_key_from_abovehttp_basic:provider:some_key_from_abovehttp_digest:provider:some_key_from_aboveform_login:# submit the login form herecheck_path:/login_check# the user is redirected here when they need to log inlogin_path:/login# if true, forward the user to the login form instead of redirectinguse_forward:false# login success redirecting options (read further below)always_use_default_target_path:falsedefault_target_path:/target_path_parameter:_target_pathuse_referer:false# login failure redirecting options (read further below)failure_path:/foofailure_forward:falsefailure_path_parameter:_failure_pathfailure_handler:some.service.idsuccess_handler:some.service.id# field names for the username and password fieldsusername_parameter:_usernamepassword_parameter:_password# csrf token optionscsrf_parameter:_csrf_tokenintention:authenticatecsrf_provider:my.csrf_provider.id# by default, the login form *must* be a POST, not a GETpost_only:trueremember_me:false# by default, a session must exist before submitting an authentication request# if false, then Request::hasPreviousSession is not called during authentication# new in Symfony 2.3require_previous_session:trueremember_me:token_provider:namekey:someS3cretKeyname:NameOfTheCookielifetime:3600# in secondspath:/foodomain:somedomain.foosecure:falsehttponly:truealways_remember_me:falseremember_me_parameter:_remember_melogout:path:/logouttarget:/invalidate_session:falsedelete_cookies:a:{path:null,domain:null}b:{path:null,domain:null}handlers:[some.service.id,another.service.id]success_handler:some.service.idanonymous:~# Default values and options for any firewallsome_firewall_listener:pattern:~security:truerequest_matcher:~access_denied_url:~access_denied_handler:~entry_point:~provider:~stateless:falsecontext:~logout:csrf_parameter:_csrf_tokencsrf_provider:~intention:logoutpath:/logouttarget:/success_handler:~invalidate_session:truedelete_cookies:# Prototypename:path:~domain:~handlers:[]anonymous:key:4f954a0667e01switch_user:provider:~parameter:_switch_userrole:ROLE_ALLOWED_TO_SWITCHaccess_control:requires_channel:~# use the urldecoded formatpath:~# Example: ^/path to resource/host:~ips:[]methods:[]roles:[]role_hierarchy:ROLE_ADMIN:[ROLE_ORGANIZER,ROLE_USER]ROLE_SUPERADMIN:[ROLE_ADMIN]

The cost can be in the range of 4-31 and determines how long a password
will be encoded. Each increment of costdoubles the time it takes
to encode a password.

If you don't provide the cost option, the default cost of 13 is
used.

Note

You can change the cost at any time — even if you already have some
passwords encoded using a different cost. New passwords will be encoded
using the new cost, while the already encoded ones will be validated
using a cost that was used back when they were encoded.

A salt for each new password is generated automatically and need not be
persisted. Since an encoded password contains the salt used to encode it,
persisting the encoded password alone is enough.

Note

All the encoded passwords are 60 characters long, so make sure to
allocate enough space for them to be persisted.

Most applications will only need one firewall.
But if your application does use multiple firewalls, you'll notice that
if you're authenticated in one firewall, you're not automatically authenticated
in another. In other words, the systems don't share a common "context":
each firewall acts like a separate security system.

However, each firewall has an optional context key (which defaults to
the name of the firewall), which is used when storing and retrieving security
data to and from the session. If this key were set to the same value across
multiple firewalls, the "context" could actually be shared: